Okta Identity

Okta is a cloud-based identity and access management provider that centralizes user identity across your organization. Adding an Okta Identity event source allows SIEM (InsightIDR) to ingest user data from Okta for user attribution. You only need to configure one Okta event source per organization, even if you manage multiple Okta applications.

To set up Okta Identity:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Okta to send data to SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to receive data from the event source.
ℹ️

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with SIEM (InsightIDR), we recommend that you visit the third-party vendor’s product documentation.

Requirements

Before you start the configuration:

  • Use an Okta administrator account that holds the Read-Only Administrator role or higher. An API token inherits the permissions of the account that creates it, so choose the lowest role that still lets SIEM (InsightIDR) read user data.
  • Create a dedicated Okta service account for this integration rather than using a personal administrator account. This lets you control the token's privilege level independently, and the token is not revoked when an individual administrator leaves and their account is deactivated.
  • Learn more about creating API tokens in the Okta documentation at: https://developer.okta.com/docs/guides/create-an-api-token/main/

Configure Okta Identity to send data to SIEM (InsightIDR)

To send data to SIEM (InsightIDR), create an API token in Okta using a user account that is enrolled in multi-factor authentication (MFA).

Okta API tokens are sent in the Authorization header using Okta's SSWS scheme and have a sliding expiration: a token is valid for 30 days, and its lifetime is renewed every time it is used in an API call, so a token that goes unused for 30 days expires and cannot be used again. The token lifetime is fixed by Okta and cannot be changed for your organization. Deactivating the user account that created a token revokes that token at the same time, which is why a service account is preferable to a personal account. Okta shows the token value only once, at creation, so store it in a secrets manager and treat it like a password.

To create an API token in Okta:

  1. Log in to Okta and select API from the Security menu.
  2. Click the Create Token button. The token inherits the permissions of the user account used to create the token.
  3. Follow the instructions that the Okta screen displays to finish creating the token.
  4. Record the Token value to enter later in SIEM (InsightIDR); Okta displays it only once. Also note your Okta org domain (the hostname you use to reach Okta, without https://, typically of the form yourcompany.okta.com), which SIEM (InsightIDR) asks for alongside the token.
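
The following Python script is an added example for this page; it is not part of the Rapid7 documentation or of any Okta or Rapid7 tool. It checks a freshly created token before you paste it into SIEM (InsightIDR): it sends a single read-only request to Okta's Users API with the token in the SSWS Authorization header (the scheme Okta uses for API tokens), distinguishes a rejected token (HTTP 401, Okta error E0000011) from one that is accepted but lacks permission to read users (HTTP 403), and applies the Okta-to-SIEM status mapping listed at the end of this page to the users returned, so you can see how many non-Active accounts will still appear as Enabled. The environment variable names OKTA_DOMAIN and OKTA_API_TOKEN, the User-Agent string and the embedded sample response are assumptions made for the example; with the variables unset it runs offline against the constructed sample.

```python
"""Pre-flight check for an Okta API token (added example, not Rapid7 or Okta code).

Sends one read-only request with the token, interprets the HTTP result, and
applies the Okta -> SIEM (InsightIDR) user status mapping to the users returned.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Okta -> SIEM (InsightIDR) user status mapping, as documented on this page.
# Okta's API reports statuses in upper snake case (e.g. LOCKED_OUT).
OKTA_TO_SIEM_STATUS = {
    "ACTIVE": "Enabled",
    "PROVISIONED": "Enabled",
    "STAGED": "Enabled",
    "RECOVERY": "Enabled",
    "LOCKED_OUT": "Disabled",
    "DEPROVISIONED": "Disabled",
    "PASSWORD_EXPIRED": "Disabled",
    "SUSPENDED": "Disabled",
}

# Constructed sample of a GET /api/v1/users response (fields trimmed), used so
# the script runs offline when no real domain/token are supplied.
SAMPLE_USERS = json.dumps([
    {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
    {"id": "00u2", "status": "STAGED", "profile": {"login": "bob@example.com"}},
    {"id": "00u3", "status": "LOCKED_OUT", "profile": {"login": "carol@example.com"}},
]).encode()


def build_request(domain: str, token: str, limit: int = 5) -> urllib.request.Request:
    """Build a read-only Users API request.

    Okta API tokens go in the Authorization header with the SSWS scheme
    (not Bearer). The domain is normalised so a pasted URL still works.
    """
    host = domain.strip().removeprefix("https://").removeprefix("http://").rstrip("/")
    url = f"https://{host}/api/v1/users?limit={int(limit)}"
    headers = {
        "Authorization": f"SSWS {token}",
        "Accept": "application/json",
        "User-Agent": "okta-token-preflight/0.1",  # assumed name for this example
    }
    return urllib.request.Request(url, headers=headers)


def urllib_send(req: urllib.request.Request) -> tuple[int, bytes]:
    """Live transport: return (HTTP status, body) for 2xx and error responses alike."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def offline_send(req: urllib.request.Request) -> tuple[int, bytes]:
    """Offline transport that answers every request with the constructed sample."""
    return 200, SAMPLE_USERS


def siem_status(okta_status: str) -> str:
    """Map an Okta user status to the SIEM status. An unknown status is an
    error rather than a silent default, so mapping drift is noticed."""
    try:
        return OKTA_TO_SIEM_STATUS[okta_status.upper()]
    except KeyError:
        raise ValueError(f"unrecognised Okta status: {okta_status!r}") from None


def check_token(domain: str, token: str, send=urllib_send) -> dict:
    """Exercise the token once and return {'ok', 'reason', 'counts'}.

    counts maps "OKTA_STATUS->SIEM status" to the number of users seen, which
    shows at a glance how many non-ACTIVE accounts will still appear Enabled.
    """
    status, body = send(build_request(domain, token))
    if status == 401:
        # Okta rejects an unknown, revoked or expired token with 401
        # (error code E0000011, "Invalid token provided").
        return {"ok": False, "reason": "token rejected: invalid, revoked or expired", "counts": {}}
    if status == 403:
        return {"ok": False, "reason": "token accepted but lacks permission to read users", "counts": {}}
    if status != 200:
        return {"ok": False, "reason": f"unexpected HTTP {status}", "counts": {}}
    users = json.loads(body)
    counts: dict[str, int] = {}
    for user in users:
        key = f"{user['status']}->{siem_status(user['status'])}"
        counts[key] = counts.get(key, 0) + 1
    return {"ok": True, "reason": f"read {len(users)} user(s)", "counts": counts}


if __name__ == "__main__":
    domain, token = os.environ.get("OKTA_DOMAIN"), os.environ.get("OKTA_API_TOKEN")
    if domain and token:
        verdict = check_token(domain, token)          # live check against Okta
    else:
        verdict = check_token("example.okta.com", "dummy", send=offline_send)
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["ok"] else 1)
```

Run it with OKTA_DOMAIN and OKTA_API_TOKEN exported to test a real token; a non-zero exit means the token should not be entered into SIEM (InsightIDR) as-is. Because the request uses the same SSWS header the integration will use, a 403 here is the signal that the service account's role is too low, and a 401 on a token that worked last month usually means it sat unused for 30 days and expired.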

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Okta Identity

  1. In the left menu, click Data Connectors. Go to SIEM > Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Okta Identity in the event sources search bar.
    • In the Product Type filter, select Identity Provider.
  3. Select the Okta Identity event source tile.

Task 2: Set up your collection method

You can collect user data from Okta Identity through a cloud connection.

ℹ️

New credentials are required for cloud event sources

You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.

  1. Name the event source. This will become the name of the log that contains the event data in Log Search.
  2. In Connectivity Details, click Add a New Connection.
  3. In the Create a Cloud Connection screen, enter a name for the new connection.
  4. In the Okta Domain field, enter your Okta org domain: the hostname you use to sign in to Okta, without https:// (typically of the form yourcompany.okta.com, or your custom domain if you use one).
  5. In the Select Credential field, add a new credential and paste the API Token value you recorded in Okta.
  6. Select whether the current product or all Rapid7 products should be able to use this credential.
  7. Click Save & Test Connection.

Test the configuration

To test that event data is flowing into SIEM (InsightIDR):

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.

Okta to SIEM (InsightIDR) status mapping

When user data is ingested by SIEM (InsightIDR), each Okta user status maps to the corresponding SIEM (InsightIDR) status shown in User Details under Users and Accounts:

Okta status        SIEM status
-----------------  -----------
Active             Enabled
Provisioned        Enabled
Staged             Enabled
Locked out         Disabled
Recovery           Enabled
Deprovisioned      Disabled
Password expired   Disabled
Suspended          Disabled

Note that Staged, Provisioned and Recovery users, who cannot yet sign in to Okta normally (the account has not been activated, activation has not been completed, or a password reset is in progress), are still shown as Enabled in SIEM (InsightIDR). Only Locked out, Deprovisioned, Password expired and Suspended users appear as Disabled.